STIP right now, thank you very much!
Excuse the Spice Girls pun (maybe showing my age), but it refers to a song from 1997, the year I started my long Visa career. One part of VisaNet processing that was interesting and challenging from the start was STIP, or Visa Stand-in Processing. This fourth part of my education series begins to delve deeper into this subject. There is so much within this service that it needs a few articles to cover it.
Concept
The concept behind STIP is to ensure uninterrupted transaction authorizations across a wide range of scenarios and to allow Visa to stand in and approve or decline transactions on behalf of card issuers. STIP can help avoid declined transactions, which can lead to customer dissatisfaction, lost revenue, and brand impact.
An important part of STIP is that it helps the Issuer manage the balance between customer service and risk, much as they would on their own host system. Part 2 of the article will focus more on how important it is to strike this balance, and the services available to do that.
STIP scenarios
It is logical to split STIP processing into two sections: "Issuer Available" and "Issuer Unavailable." Different scenarios apply to these.
Issuer Available
This refers to processing when transactions first enter VisaNet from the acquiring institution, before processing attempts to send the transaction to the Issuer host system.
Issuer Unavailable
This covers cases where the transaction cannot be sent to the Issuer because the host is unavailable or there are connection problems, as well as situations involving response-timeliness issues or data-quality problems.
The scenarios above are covered in more detail in the third article in my education series.
General STIP services for processing
There are many services in STIP. In part one of this guide, I am covering several essential services used for general STIP processing. For each, I indicate whether the service can be used in Issuer Available, Issuer Unavailable, or both.
PIN translation / PIN Verification Service (PVS)
PVS lets Visa verify PINs on the issuer's behalf in STIP situations. Two options are available:
- PVS Always: all PINs are checked.
- PVS Stand-in: PINs are checked only in Stand-in Processing.
PVS acts like an insurance policy. Nothing requiring a PIN will work in STIP unless PVS is used.
I strongly recommend issuers enable at least the PVS Stand-in option, which allows issuers to check PINs when transactions reach them, while STIP handles PIN verification if there are problems causing an Issuer Unavailable situation.
Account Screen Authorization File (ASAF) (previously called Exception File)
ASAF supports both negative and positive processing for cards that need special handling. Two options are available:
- All Respond: The ASAF is checked on all transactions, whether the Issuer is available or not.
- Stand-In only: The ASAF is checked only in Stand-in Processing.
Negative processing covers blocking lost, stolen, or compromised cards to prevent authorization. Card numbers are added to the file with an action code (the bank's chosen response), and ASAF is checked when authorizations arrive from the acquirer and declined as appropriate.
For positive authorization, adding a card with a positive action code such as 11 (Approval for VIP) means some STIP rules are bypassed, but it is not an unconditional approval.
For both uses, Issuers should keep ASAF cardholder records up to date to ensure authorizations are handled correctly in VisaNet and to avoid unnecessary file-residency fees.
Card Verification Value (CVV / iCVV)
CVV is encoded on track 1 and track 2 data and is one of several security checks used within VisaNet processing to ensure the card has not been compromised. iCVV provides the same function for chip-encoded cards. With the decline of magnetic-stripe usage, iCVV is now the primary check. Below references to CVV apply to iCVV as well.
Options for CVV processing:
- CVV All: CVV is checked on all transactions, and the result (pass or fail) is sent to the Issuer.
- CVV All Respond: CVV is checked and sent to the Issuer only if the CVV result passes; otherwise, the transaction is declined.
- CVV STIP: CVV is only checked during stand-in processing.
- CVV None: the issuer performs all CVV checking.
(See the note below for how CAM can affect CVV processing.)
Card Verification Value 2 (CVV2)
CVV2 is the three-digit value printed on the back of the card and applies to card-present (rarely) and card-not-present transactions. It serves a similar purpose to CVV by helping ensure the card has not been compromised.
CVV2 must be checked on all incoming authorizations where the value is present. While CVV2 processing occurs in the Issuer Available scenario, VisaNet does not decline a transaction for incorrect CVV2, and if the Issuer is available to receive it the result is passed to them.
Chip Authentication Service
This service supports processing for Card Authentication Method (CAM) on EMV chip cards. CAM is used to confirm the card is genuine.
Options for CAM processing:
- CAM Always: CAM is checked on all transactions, whether the Issuer is available or not.
- CAM in Stand-in: CAM is checked only for Stand-in transactions.
- CAM Never: the Issuer performs all CAM checking.
As with PVS, I strongly recommend at least the Stand-in option.
Note: CAM processing can override a Card Verification Value (CVV) failure because Visa regards CAM as a stronger check. This occurs whether CAM passes or fails. For clients seeing CVV failures, enabling CAM at least in Stand-in can be a helpful workaround. The only time CAM does not override CVV failures is when the CAM Never option is used.
Card Authentication Verification Value (CAVV)
CAVV is a risk control service authenticating cardholders in electronic commerce (e-commerce) authorization transactions. The value is generated by the Issuer's Access Control Server when a cardholder goes through the authentication part of the processing (Visa Secure). The CAVV is returned to the acquirer for them to push to Visanet and get the final authorization online.
Options for CAVV processing:
- All: CAVV is checked on all transactions, and the result (pass or fail) is sent to the issuer.
- Standard Issuer CAVV Service - CAVV is checked and sent to the issuer only if the CAVV result passes; otherwise, the transaction is declined.
- Issuer validation: the issuer performs all CAVV checking.
Next time
In part 2 of the STIP guide, I will be looking at services dedicated to risk and spending controls.
For any guidance about using STIP or any of the many VisaNet services, Payment Authorization Expertise would love to partner with you to review current usage and help with troubleshooting/optimization. Get in touch if you would like us to partner with you.